Keeping patient health information secure is our highest priority. With that in mind, we keep data safe through every step of integration.
HITRUST is the leading and most widely recognized third-party auditing framework within healthcare. HITRUST evaluates enacted security measures against multiple industry standards and regulations to prove platform compliance. A rigorous and challenging test, our HITRUST CSF certification demonstrates to our partners that data security is the highest priority at Redox.
SOC2 is an industry-standard, technology service provider report verifying compliance and controls pertaining to Security and Availability. "Type 2" indicates that this is a multi-month, over-time evaluation period for compliance.
Redox contracts a number of independent auditing:
We undergo multiple third-party penetration tests yearly, including manual penetration testing on our application as well as internal and external network penetration testing for our infrastructure to identify potential system vulnerabilities. This ensures any security issues are resolved before they have a chance to arise and that data is properly guarded. Code audits are performed regularly to scan our code base and find and address any security vulnerabilities. Intrusion detection is used to monitor all system-level events and escalate any incongruent activity, like a user promoting their privileges or modifying files.
Between an application and Redox, end-to-end encryption is done to secure all data transmitted over an HTTPS connection. Within the Redox application, we support modern industry OAuth and SAML standards to authenticate applications that send to Redox and to authenticate with applications that receive information from Redox.
We store sensitive credentials as salted and hashed values for an additional layer of security. Redox supports Two-Factor Authentication for all users accessing the Redox Engine Dashboard, and requires it for all personnel with customer support responsibilities to further protect access to PHI.
TCP traffic from Health Systems is encrypted via a secure VPN connection. We use an IPsec protocol to ensure all traffic within the VPN is encrypted and authenticated. The VPN is consistently monitored with a heartbeat to ensure the connection remains healthy.
Redox staff must comply with Redox's acceptable-use policy prior to gaining access to any protected systems or data. This includes using strong passwords, encrypting their device, enabling multi-factor authentication on all applicable systems, undergoing security training appropriate to their role, running anti-malware endpoint protection, and running Redox's device provisioning application.
Redox maintains detailed processes in the event of a downtime, ranging from a simple container failure to large-scale regional failure of our AWS host. These scenarios are reviewed and tested regularly for accuracy and training.
Redox also maintains a structured process for identifying, escalating, and responding to security incidents. This process includes guidelines for ensuring containment of at-risk data, controls for system stability and performance, and a notification process if customers are affected.
Redox is committed to continually working on security enhancements as technology changes and our
infrastructure evolves. If you have any questions about our security measures or technology, feel free to
reach out to us.
(Please do not send any PHI over email under any circumstance).